Privacy Policy

Last updated: May 7, 2026

What This Policy Covers

Cadento ("we," "our," or "us") provides a calendar-based email marketing planning tool. This Privacy Policy explains how we collect, use, store, and protect your information when you use our service at cadento.co.

Information We Collect

1. Account Information

When you create a Cadento account, we collect:

  • Your name
  • Email address
  • Hashed password (we never store plaintext passwords)

2. Klaviyo Data (When You Connect)

When you authorize Cadento to access your Klaviyo account via OAuth, we retrieve and store:

  • Campaign metadata: campaign names, send dates, scheduled dates, subject lines, status (sent/scheduled/draft)
  • Email creative HTML: the rendered HTML of sent emails for preview purposes
  • Campaign performance metrics: sends, opens, clicks, revenue (if you have Placed Order tracking configured in Klaviyo)
  • Account identifier: your Klaviyo account ID and name

We only request read-only access. Cadento cannot send emails, delete campaigns, or modify any data in your Klaviyo account. Our OAuth scopes are: accounts:read campaigns:read templates:read

3. Usage Information

We collect basic analytics to understand how Cadento is used:

  • Pages visited and features used
  • Browser type and device information
  • Error logs (to fix bugs)

How We Use Your Information

  • Provide the service: Display your campaigns on the calendar, show email previews, track performance metrics
  • Improve the product: Fix bugs, develop new features, optimize performance
  • Communicate with you: Send service updates, respond to support requests

We do not:

  • Sell or share your data with third parties
  • Use your data for advertising
  • Train AI models on your campaigns or customer data

Where Your Data Is Stored

Data TypeStorage LocationEncryption
Account info, campaignsNeon (PostgreSQL)
US East (AWS)
At rest + in transit
Klaviyo access tokensNeon (PostgreSQL)
US East (AWS)
AES-256-GCM + at rest
Email screenshotsScreenshotOne CDN
Cached 30 days
HTTPS in transit
Figma OAuth tokensNeon (PostgreSQL)
US East (AWS)
AES-256-GCM + at rest
Figma screenshotsFigma CDN
Generated on-demand
HTTPS in transit

All infrastructure is hosted in the United States. Passwords are hashed with bcrypt. Klaviyo OAuth tokens are encrypted with AES-256-GCM before database storage.

Third-Party Services

Cadento uses these third-party services:

  • Klaviyo: We retrieve campaign data from your Klaviyo account via their API. See Klaviyo's Privacy Policy.
  • ScreenshotOne: We send email HTML to ScreenshotOne to generate thumbnail images. Screenshots are cached on their CDN for 30 days. See ScreenshotOne's Privacy Policy.
  • Figma: If you connect Figma, we retrieve thumbnails of linked design files via their API (read-only scope: file_content:read). We store only the file URL and screenshot — no design data or editing history. See Figma's Privacy Policy.
  • Vercel: Our application is hosted on Vercel's serverless infrastructure. See Vercel's Privacy Policy.
  • Neon: Our database is hosted on Neon's PostgreSQL platform. See Neon's Privacy Policy.

Your Rights

You have the right to:

  • Access your data: Request a copy of all data we store about you
  • Delete your data: Delete your account and all associated data
  • Disconnect Klaviyo: Revoke Cadento's access to your Klaviyo account at any time (Settings → Disconnect Klaviyo)
  • Correct inaccuracies: Update your account information

To exercise these rights, email hello@cadento.co.

Data Retention

  • Active accounts: We retain your data for as long as your account is active
  • Deleted accounts: When you delete your account, we permanently delete all your data within 30 days
  • Disconnected Klaviyo: When you disconnect Klaviyo, we delete your OAuth tokens immediately. Campaign data remains in your Cadento account unless you delete it manually or delete your account
  • Screenshots: Email screenshots cached by ScreenshotOne expire after 30 days

Security

We implement industry-standard security measures:

  • HTTPS encryption for all data in transit
  • AES-256-GCM encryption for OAuth tokens at rest
  • Bcrypt password hashing
  • PKCE (Proof Key for Code Exchange) for OAuth flows
  • Database encryption at rest (Neon)
  • Regular security audits and updates

No system is 100% secure. If you discover a security vulnerability, please report it to hello@cadento.co.

Children's Privacy

Cadento is not intended for users under 18. We do not knowingly collect information from children. If you believe a child has provided us with personal information, contact us and we will delete it.

Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will:

  • Update the "Last updated" date at the top
  • Notify you via email if changes are material
  • Post a notice in the app

Contact Us

Questions about this Privacy Policy or how we handle your data? Reach out:

Email: hello@cadento.co

Data Processing Agreement

If you need a Data Processing Agreement (DPA) for GDPR or other compliance purposes, we provide one upon request. Email hello@cadento.co or visit our DPA page.